Continuous network usage by unknown process


rudrax

Lately, I've been observing that some process is using my bandwidth continuously even if I'm not running any app related to network usage. I also have all system processes like Windows Update and the live tiles turned off. But the moment I connect my dial-up connection and do nothing, the data counter starts ticking continuously and never stops, leading my costly bandwidth to drain out.

Then I was advised to use TCPView, and using that I found the culprit: it's an svchost process. Below is the screenshot.

[screenshot: screenshot_1393391957.png]

Turning that off disconnects the network connection. I wanna know if there is anything to get rid of the situation.


From a brief look you have the process connecting to an IP address in Malaysia, mate.....

Have you run Malware Bytes to see if there are any hidden nasties around in your box?

Here are the results for that IP from Network-Tools.com


IP address: 58.27.124.208

No host name is associated with this IP address or no reverse lookup is configured. Error: Host not found. 58.27.124.208 is from Malaysia (MY) in region Southern and Eastern Asia.

TraceRoute from Network-Tools.com to 58.27.124.208

Hop  (ms)       (ms)       (ms)       IP Address      Host name
1    0          0          0          8.9.232.73      8-1-18.ear1.dallas1.level3.net
2    111        111        111        4.69.145.254    vlan90.csw4.dallas1.level3.net
3    110        110        118        4.69.151.166    ae-92-92.ebr2.dallas1.level3.net
4    112        112        112        4.69.137.122    ae-3-3.ebr2.newyork1.level3.net
5    110        110        110        4.69.148.46     ae-92-92.csw4.newyork1.level3.net
6    110        110        110        4.69.134.77     ae-91-91.ebr1.newyork1.level3.net
7    110        110        110        4.69.137.69     ae-42-42.ebr2.london1.level3.net
8    111        111        111        4.69.143.81     ae-48-48.ebr2.amsterdam1.level3.net
9    110        110        110        4.69.153.202    ae-56-221.csw2.amsterdam1.level3.net
10   131        121        112        4.69.162.197    ae-230-3606.edge4.amsterdam1.level3.net
11   111        111        111        212.72.40.234   telekom-mal.edge4.amsterdam1.level3.net
12   Timed out  Timed out  Timed out  -
13   Timed out  Timed out  Timed out  -
14   Timed out  Timed out  Timed out  -
15   305        304        305        58.27.124.208   -

Trace complete


Many possibilities:

1. Try disabling your AV / firewall temporarily.

2. Stop the BITS service.

Then see how it goes.

Or first run a scan with your lovely AV / anti-malware.

good luck

cheers :wub:


I think you should use a real firewall, other than Windows Firewall (Comodo/Agnitum), in order to control the processes accessing the internet.

If you kill the process (svchost.exe) you probably will disable a bunch of services running.

GL!


svchost could be a legitimate system file or disguised malware.

Check the particular svchost with this svchost look up tool -- http://www.tweaking.com/content/page/tweaking_com_svchost_exe_lookup_tool.html

and

also check the hash of the svchost file in the VirusTotal database to verify whether it is malware, or simply use the VT uploader and scan it.

And use a firewall !


You could try this... A program to see what all those svchost.exe are running. Ever wondered what all those svchost.exe processes are running?? Well here is an app to tell you. It gives you some basic information like the name and description.

- No installation required.
- Only requirement is that you have .NET installed (ver 2.0 or newer).
- Works in Windows XP (SP2), Vista and Windows 7.
- Coded in C#

[screenshot: nQoUqTJ.png]

http://svchostviewer.codeplex.com/


I have been noticing exactly the same thing going on my system for a while, but I never took it seriously. But now that you have actually mentioned it, I think I will take time out to find out who or what is really using up my bandwidth. I will be following this thread closely to see the best way to solve this issue. Cheers guys....


Stopping and then disabling the BITS service, as suggested by sirri, seems to be working, and the data counter isn't ticking when the connection is idle.

Special thanks to sirri :)

I will take the security measures suggested by other members though. Thank you all for replying. :D

VT says it's completely safe, 0/50. So I don't think there is something to worry about.


rudrax, the most "riddled-by-spyware" member nsane has ever seen. Congratulations, buddy. Need update? :tehe: :lmao:

:spank:


If you see lots of different IP addresses using svchost, then you are infected and many people are using your computer as a VPN/proxy.

Not a good thing as who knows what they'll be doing on the net.


Not only you... Is this the first time you are noticing this svchost process thing? Man, forget it, it has been there since the days of Windows XP. And the most annoying thing is when you close the process it then starts again, unless you shut down your PC. Well, it's good you've raised this. Some experts will help. I will also have to do more research on it.


So it's concluded that if you are not attacked by such malware and spyware, the cause of the phenomenon is the BITS (Background Intelligent Transfer) service. Disabling it will fix the problem for you temporarily for the logged-in session, but it restarts again automatically whenever necessary. So this is a heck of a bandwidth-hungry monster.

Can someone kick the [email protected] out of BITS's butts? :angry:

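For anyone who wants to do what the thread describes without a third-party viewer (find which services an svchost.exe with open connections actually hosts, get its hash for a VirusTotal lookup, and see which BITS jobs are queued), here is an added PowerShell script; it is not from any poster or from the tools linked above. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-BitsTransfer) and an elevated prompt.

```powershell
# Added example: map each svchost.exe that has a live remote connection to the
# services it hosts, hash its image, and list pending BITS jobs.
# Assumes Windows 8 / Server 2012 or later; run as administrator.

Import-Module BitsTransfer -ErrorAction SilentlyContinue

# Build a lookup: process id -> names of the services hosted in that svchost.exe.
$servicesByPid = @{}
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'svchost\.exe' -and $_.ProcessId } |
    ForEach-Object { $servicesByPid[[int]$_.ProcessId] += @($_.Name) }

# Every established TCP connection owned by an svchost.exe instance.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -eq 'svchost' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess
        # A genuine svchost.exe lives under System32 (or SysWOW64); any other path is suspect.
        $inSystem32 = $proc.Path -like "$env:SystemRoot\System32\*"
        # Hash the image so it can be looked up on VirusTotal instead of uploading it.
        $hash = if ($proc.Path) { (Get-FileHash -Algorithm SHA256 -Path $proc.Path).Hash } else { 'n/a' }
        [pscustomobject]@{
            PID           = $_.OwningProcess
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            ImagePath     = $proc.Path
            InSystem32    = $inSystem32
            SHA256        = $hash
            Services      = ($servicesByPid[[int]$_.OwningProcess] -join ', ')
        }
    } | Format-Table -AutoSize

# BITS jobs from all users: these are the transfers that keep an idle link busy.
Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
    Select-Object DisplayName, JobState, BytesTransferred, BytesTotal, OwnerAccount |
    Format-Table -AutoSize
```

If the Services column for the busy PID lists BITS (or wuauserv alongside it), the traffic is a queued transfer rather than a rogue binary; a path outside System32 or a hash VirusTotal has never seen is what justifies a closer look.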
